Monday, 11 May 2026 ๐ŸŸ  medium

Daily Threat Report

205 SSH Connections
160 Login Attempts
18 Commands Run
63 SSH Unique IPs
30 Protocol Events
9 Protocol IPs
163 Web Honeypot Hits
48 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 80.94.92.182 BGPโ†—
  2. ๐ŸŒ 87.251.64.176 BGPโ†—
  3. ๐ŸŒ 79.124.40.70 BGPโ†—
  4. ๐ŸŒ 35.240.56.214 BGPโ†—
  5. ๐ŸŒ 45.148.10.121 BGPโ†—

Top Passwords Tried

  1. admin
  2. solana
  3. password
  4. 1234
  5. P

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 163 scanner requests from 48 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /sitemap.xml
  3. /login
  4. /favicon.ico
  5. /m5gbhlkoet8

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Mozilla/5.0 (compatible
  5. CensysInspect/1.1
  6. +https://about.censys.io/)
  7. Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko
  8. compatible
  9. ClaudeBot/1.0
  10. +claudebot@anthropic.com)
  11. Go-http-client/1.1
  12. Mozilla/5.0 zgrab/0.x
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 6 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 6 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 6 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 6 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
solana
password
qwer1234
---fuck_you----

๐Ÿ’ป Commands They Tried

/bin/./uname -s -v -n -r -m
uname -a
uname -s -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 11 de May de 2026. Recorded 205 SSH connections on the Cowrie honeypot and 30 multi-protocol events on OpenCanary, from 72 unique IPs. 6 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 160 login attempts from 63 unique IPs. Attackers executed 18 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 30 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 9 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 163 HTTP requests from real scanners across 48 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’